05-24-2017 07:18 AM - edited 03-12-2019 02:24 AM
Hello
I would like to reach a SIP proxy via VPN. My VPN pool is 10.201.252.1-254 and I see the following in the log:
"Deny UDP reverse path check from 10.201.252.53 to 10.201.252.255 on interface inside"
Routing table:
S* 0.0.0.0 0.0.0.0 [1/0] via 7.8.9.10, outside
S 10.201.0.0 255.255.0.0 [2/0] via 10.201.254.2, inside
C 10.201.0.0 255.255.255.0 is directly connected, voip
L 10.201.0.1 255.255.255.255 is directly connected, voip
C 10.201.20.0 255.255.255.0 is directly connected, guest
L 10.201.20.1 255.255.255.255 is directly connected, guest
S 10.201.252.53 255.255.255.255 [1/0] via 7.8.9.10, outside
S 10.201.252.54 255.255.255.255 [1/0] via 7.8.9.10, outside
C 10.201.254.0 255.255.255.0 is directly connected, inside
L 10.201.254.1 255.255.255.255 is directly connected, inside
Do you have any idea?
Thanks, Johnni211
05-24-2017 02:28 PM
From:
https://supportforums.cisco.com/discussion/9935866/deny-udp-reverse-path-check
It means that the inside interface received a packet from a network that is NOT in the firewall routing table...
It's enabled with the command
ip verify reverse-path interface inside
You can disable this feature with the command
no ip verify reverse-path interface inside
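To illustrate the reverse-path check described in the reply, here is an added example (my own code, not from the thread or from Cisco) that loads the routing table posted above, does a longest-prefix lookup for a packet's source address and compares the resulting interface with the interface the packet arrived on. It assumes a simplified model of the ASA behaviour: a packet passes only when the best route back to its source points at the ingress interface.

```python
import ipaddress

# Routing table as posted in the thread (static and connected routes).
# The L (local) /32 entries are the firewall's own addresses and are omitted.
ROUTES = [
    ("0.0.0.0/0", "outside"),
    ("10.201.0.0/16", "inside"),
    ("10.201.0.0/24", "voip"),
    ("10.201.20.0/24", "guest"),
    ("10.201.252.53/32", "outside"),
    ("10.201.252.54/32", "outside"),
    ("10.201.254.0/24", "inside"),
]


def egress_interface(ip, routes=ROUTES):
    """Longest-prefix match: the interface the firewall would use to reach ip."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def rpf_check(src_ip, ingress_iface, routes=ROUTES):
    """Reverse-path check (simplified model, an assumption of this example):
    pass only if the route back to the source uses the ingress interface."""
    return egress_interface(src_ip, routes) == ingress_iface


if __name__ == "__main__":
    # The packet from the log: source 10.201.252.53 arriving on 'inside'.
    print(rpf_check("10.201.252.53", "inside"))  # False: /32 route points to outside
    # A pool address without a host route falls under 10.201.0.0/16 via inside.
    print(rpf_check("10.201.252.56", "inside"))  # True
```

With the /32 host routes for 10.201.252.53 and .54 pointing at outside, any packet from those sources entering inside fails the check exactly as the log line shows.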
05-26-2017 12:03 AM
In this case I get the following:
Deny inbound UDP from 10.201.252.56/138 to 10.201.252.255/138 on interface inside
But the acl:
access-list inside_access_in extended permit udp any any
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended deny ip any any log warnings
access-group inside_access_in in interface inside
What is your opinion?
Thank you